If you examine the SQL Server Agent Proxy window you will notice a separate window where “Principal’s” can be assigned.  The question comes up “”What exactly is a proxy principal anyway?”

A  proxy is created to be mapped to a credential in order to allow a specific agent job subsystem the ability to run under the security context of the credential rather than in the context of the agent service account.  This provides the ability to escalate the security context of a single task in a job rather than having to escalate the permissions of the agent service account, but what is a proxy principal? 

SQL Login can be granted permission to manage SQL agent jobs by adding them to one of three fixed database roles in the MSDB database, technet outlines these roles here:




Since proxies are created to be used with SQL Server agent job tasks you might think that by assigning a user to these fixed database roles would allow the user to use in the appropriate task subsystem, but think again. 

To demonstrate this I have created a credential called SQLCredential that maps to a local user:

imageI  have also created a proxy for the Operating System (CmdExec) subsystem that maps to the SQLCredential:

imageIn the same instance of SQL I created a user, SQLAgentUser, and assigned it to the msdb fixed server roles SQLAgentOperatorRole, SQLAgentReaderRole, SQLAgentUserRole:

imageConnecting to SSMS as  SQLAgentUser and creating a job you would think that the newly created proxy would be available for an operating system(CmdExec), but guess again!

imageAs you can see the Run as option is disabled.  Despite the permissions provided in the 3 fixed database roles none of the permit the use of the proxies.

To allow the SQLAgentUser to assign a proxy they must be assigned this permission in the proxy principal.

From within the proxy window within the Principals select the Principal type of SQL Login and select the SQLAgentUser. 

imageOnce back in SSMS as SQLAgentUser and creating the job using the Operating system(CmdExec task the Proxy is now available:


It is possible to allow the all users assigned to a specific msdb fixed database role the ability to access a proxy by setting the role as a principal in the proxy: